[meta-freescale] [meta-fsl-ppc][PATCH 1/2] kernel: CVE-2014-7825, CVE-2014-7826

Sona Sarmadi sona.sarmadi at enea.com
Mon Mar 2 02:43:59 PST 2015 

Insufficient syscall number validation in perf and ftrace subsystems

CVE-2014-7825
Fixes an out-of-bounds memory access flaw, in the syscall tracing
functionality of the Linux kernel's perf subsystem.

CVE-2014-7826
Fixes an out-of-bounds memory access flaw, in the syscall
tracing functionality of the Linux kernel's ftrace subsystem.

References:
http://www.openwall.com/lists/oss-security/2014/11/06/11
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7825
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7826

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../tracing-CVE-2014-7825_CVE-2014-7826.patch      | 94 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch

diff --git a/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
new file mode 100644
index 0000000..cc90f7d
--- /dev/null
+++ b/recipes-kernel/linux/files/tracing-CVE-2014-7825_CVE-2014-7826.patch
@@ -0,0 +1,94 @@
+From abc07cd01c51fb54088c6bc8ee654d104a5ec7d9 Mon Sep 17 00:00:00 2001
+From: Rabin Vincent <rabin at rab.in>
+Date: Wed, 29 Oct 2014 23:06:58 +0100
+Subject: [PATCH] tracing/syscalls: Ignore numbers outside NR_syscalls' range
+
+commit 086ba77a6db00ed858ff07451bedee197df868c9 upstream.
+
+ARM has some private syscalls (for example, set_tls(2)) which lie
+outside the range of NR_syscalls.  If any of these are called while
+syscall tracing is being performed, out-of-bounds array access will
+occur in the ftrace and perf sys_{enter,exit} handlers.
+
+ # trace-cmd record -e raw_syscalls:* true && trace-cmd report
+ ...
+ true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
+ true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
+ true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
+ true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
+ ...
+
+ # trace-cmd record -e syscalls:* true
+ [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
+ [   17.289590] pgd = 9e71c000
+ [   17.289696] [aaaaaace] *pgd=00000000
+ [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
+ [   17.290169] Modules linked in:
+ [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
+ [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
+ [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
+ [   17.290866] LR is at syscall_trace_enter+0x124/0x184
+
+Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.
+
+Commit cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
+added the check for less than zero, but it should have also checked
+for greater than NR_syscalls.
+
+Fixes CVE-2014-7825 and CVE-2014-7826
+Upstream-Status: Backport
+
+Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in
+
+Fixes: cd0980fc8add "tracing: Check invalid syscall nr while tracing syscalls"
+Signed-off-by: Rabin Vincent <rabin at rab.in>
+Signed-off-by: Steven Rostedt <rostedt at goodmis.org>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ kernel/trace/trace_syscalls.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
+index 559329d..d8ce71b 100644
+--- a/kernel/trace/trace_syscalls.c
++++ b/kernel/trace/trace_syscalls.c
+@@ -312,7 +312,7 @@ static void ftrace_syscall_enter(void *data, struct pt_regs *regs, long id)
+ 	int size;
+ 
+ 	syscall_nr = trace_get_syscall_nr(current, regs);
+-	if (syscall_nr < 0)
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+ 		return;
+ 	if (!test_bit(syscall_nr, tr->enabled_enter_syscalls))
+ 		return;
+@@ -354,7 +354,7 @@ static void ftrace_syscall_exit(void *data, struct pt_regs *regs, long ret)
+ 	int syscall_nr;
+ 
+ 	syscall_nr = trace_get_syscall_nr(current, regs);
+-	if (syscall_nr < 0)
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+ 		return;
+ 	if (!test_bit(syscall_nr, tr->enabled_exit_syscalls))
+ 		return;
+@@ -557,7 +557,7 @@ static void perf_syscall_enter(void *ignore, struct pt_regs *regs, long id)
+ 	int size;
+ 
+ 	syscall_nr = trace_get_syscall_nr(current, regs);
+-	if (syscall_nr < 0)
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+ 		return;
+ 	if (!test_bit(syscall_nr, enabled_perf_enter_syscalls))
+ 		return;
+@@ -631,7 +631,7 @@ static void perf_syscall_exit(void *ignore, struct pt_regs *regs, long ret)
+ 	int size;
+ 
+ 	syscall_nr = trace_get_syscall_nr(current, regs);
+-	if (syscall_nr < 0)
++	if (syscall_nr < 0 || syscall_nr >= NR_syscalls)
+ 		return;
+ 	if (!test_bit(syscall_nr, enabled_perf_exit_syscalls))
+ 		return;
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index 527daf4..e7af627 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -35,6 +35,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://0002-shmem-CVE-2014-4171.patch \
     file://0003-shmem-CVE-2014-4171.patch \
     file://fs-CVE-2014-4014.patch \
+    file://tracing-CVE-2014-7825_CVE-2014-7826.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
-- 
1.9.1

More information about the meta-freescale mailing list